Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

They allow hundreds of CAs and any of those can be compromised (and the xpi extensions are "signed" by those same certs).

Of course everyone trusts the Turkish government! Don't Verisign and Google and Apple send their private keys to the NSA as soon as they are generated?

What happened to Diginotar?

They need to fix the SSL/CA system - that is the screen door in back - instead of replacing a steel door with a vault door in front.

And the CA store is probably not part of the binary.

Also note that any "CA approved" JavaScript in the background can run, so a MITMed images.amazon.com can completely rewrite (JavaScript has the power to delete the current page and replace it with anything else) and redirect the amazon.com page. Or if I had a cert for "google-analytics.com" I would own most "SSL-only" sites.

They also need to build in NoScript, or at least have "don't run 3rd party JavaScript" by default. Some places have over a dozen other sites that supply JavaScript.
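The comment above makes two points that a site operator can act on today: a script loaded from any origin, even a first-party subdomain, can rewrite the whole page if its delivery is tampered with, and most sites pull scripts from many third-party hosts. The following Node.js script is an added example, not code from the thread or from Mozilla: it inventories the `<script src>` tags in a page, marks which ones come from outside the site's registrable domain, checks whether each carries a Subresource Integrity hash (which makes the browser refuse a script whose bytes differ from the pinned hash, regardless of which certificate served it), and derives a Content-Security-Policy `script-src` allowlist that only admits external origins whose scripts are pinned. The sample HTML, the hostnames, and the `sha384-AAAA` integrity value are constructed placeholders, and the registrable-domain helper assumes a plain two-label suffix rather than a full public-suffix lookup.

```javascript
// Constructed sample page: one site pulling scripts from a same-origin path,
// a first-party subdomain, two third parties, and a protocol-relative ad tag.
// The integrity value "sha384-AAAA" is a placeholder, not a real digest.
const SAMPLE_HTML = `
<html><head>
<script src="https://www.example-shop.test/app.js"></script>
<script src="https://images.example-shop.test/gallery.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//ads.example-ads.test/tag.js"></script>
<script>console.log('inline scripts have no src and are skipped');</script>
</head><body></body></html>`;

// Pull every <script ...> opening tag and keep the ones that load an external file.
function extractScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi; // [^>]* also spans attributes broken over lines
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no remote origin to audit
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    tags.push({ src: src[1], hasIntegrity });
  }
  return tags;
}

// Assumption: the registrable domain is the last two labels of the hostname.
// Real deployments should consult the public suffix list instead.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Classify each external script by origin, first/third party, and SRI presence.
// pageOrigin is the origin of the document being audited.
function auditScripts(html, pageOrigin) {
  const pageDomain = registrableDomain(new URL(pageOrigin).hostname);
  return extractScriptTags(html).map((tag) => {
    // WHATWG URL resolves protocol-relative "//host/path" against the page's scheme.
    const url = new URL(tag.src, pageOrigin);
    return {
      src: tag.src,
      origin: url.origin,
      thirdParty: registrableDomain(url.hostname) !== pageDomain,
      hasIntegrity: tag.hasIntegrity,
    };
  });
}

// Build a script-src directive: 'self' covers the page's own origin; any other
// origin (first-party subdomain or third party) is admitted only when its script
// is pinned with SRI. Everything else lands in `blocked` for the operator to fix.
function buildScriptSrcPolicy(findings, pageOrigin) {
  const allowed = new Set(["'self'"]);
  const blocked = [];
  for (const f of findings) {
    if (f.origin === pageOrigin) continue; // already covered by 'self'
    if (f.hasIntegrity) {
      allowed.add(f.origin);
    } else if (!blocked.includes(f.origin)) {
      blocked.push(f.origin);
    }
  }
  return { policy: 'script-src ' + [...allowed].join(' '), blocked };
}

// Stand-alone run over the constructed sample.
const PAGE_ORIGIN = 'https://www.example-shop.test';
const findings = auditScripts(SAMPLE_HTML, PAGE_ORIGIN);
const result = buildScriptSrcPolicy(findings, PAGE_ORIGIN);
for (const f of findings) {
  console.log(
    `${f.thirdParty ? 'THIRD-PARTY' : 'first-party'} ${f.hasIntegrity ? 'pinned  ' : 'UNPINNED'} ${f.origin}`
  );
}
console.log('Content-Security-Policy:', result.policy);
console.log('needs SRI or removal:', result.blocked.join(', '));
```

Run with `node audit.js`. The output shows why the comment's worry about a tampered `images.amazon.com`-style subdomain is legitimate: the first-party subdomain script is flagged just like the third-party ones because nothing pins its contents, and the generated policy keeps it out until an `integrity` attribute is added. The CSP `'self'` keyword only matches the exact page origin, so subdomains must be listed (or pinned) explicitly; that is deliberate in this example.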